By Morgan Lucas (she/her)

This was a blog series in three parts, because it took a lot to figure out.

What is Terraform?

Hashicorp’s once-open source language used to deploy infrastructure using Infrastructure As Code. Can be used in Azure and AWS — I’ve used it in both.

Why would I want to secure Terraform?

Consistency. In this particular instance, we wanted bucket names to be stylized the same way. You can use tools like rego or tfsec to make sure buckets have proper security settings.

What I Did (Short Version)

• Integrate checks in the pipeline → if it didn’t meet criteria, it wasn’t created with terraform.
• Reiterated via test failures → If it shouldn’t have been created, I tweaked the check.
• Maintained consistency → The same naming convention was essential.

<aside> 1️⃣ This is Part 1

</aside>

As this was contract work, I can't show you the exact code used, but I can tell you that this blog post by Cesar Rodriguez of Cloud Security Musings was quite helpful, as well as this one by Chris Ayers.

The issue is using Rego; I found a cool VS Code Extension; Terrascan Rego Editor, as well as several courses on Styra Academy; Policy Authoring and Policy Essentials.